New Sykipot Variant Targets Defense Sector Smart Card Credentials

A new variant of the Sykipot Trojan is targeting smart cards used by customers such as the Department of Defense to gain access to restricted resources, said Alienvault.

Researchers uncovered a new variant of
the Sykipot Trojan that targeted smart cards used by a number of high-security
companies and public agencies, including the United States Department of
Defense.
The new variant of the Sykipot malware
family is capable of stealing PIN codes used with smart cards to gain access to
restricted systems, Jamie Blasco, a security researcher at Alienvault, wrote on
the Alienvault Labs blog Jan. 12.

The variant was first compiled in March
2011 and has since been spotted in dozens of samples, according to Blasco. The
researchers were able to test that the malware had the capability to steal
credentials, but had no proof attackers had actually succeeded in doing so, nor
any way of estimating how many credentials might have been lifted, Blasco said.

Sykipot has been implicated in previous
spear phishing attacks against defense industries. The latest Sykipot variant
was compiled with "the purpose of obtaining information from the defense
sector" and targeted Windows systems using ActivIdentity's ActivClient
smart card authentication software, according to Blasco. ActivIdentity did not
respond to eWEEK's request for
comment.
The Department of Defense included
ActivClient as part of its Common Access Card smart card deployment. Users
swipe smart cards through a special reader attached to computers to access
sensitive applications or restricted resources. Smart cards usually use digital
certificates and PIN codes to authenticate the user before granting access.
"While Trojans that have targeted
smart cards are not new, there is obvious significance to the targeting of a
particular smart card system in wide deployment by the U.S. DoD and other
government agencies, particularly given the nature of the information the
attackers seem to be targeting for exfiltration," Blasco said.
The attack begins with a spear-phishing
email message with a corrupted PDF document attached. When opened, the file
exploits a recently patched Adobe vulnerability to install the Sykipot Trojan
code onto the victim's computer. When installed, the malware uses a keylogger
to steal the card's PIN, according to Blasco. Along with smart card log-in
credentials, the malware variant can also list the public key infrastructure
certificates on the computer's local certificate store.
The variant is capable of using the PIN
and digital certificates to "silently use the card to authenticate to
secure resources, so long as the card remains physically present in the card
reader," Blasco wrote.
The Sykipot attack should "not be
surprising," Mark Diodati, a research vice president at Gartner, wrote on
the Gartner blog. "Our clients have seen similar
attacks in the wild for at least three years," Diodati said, noting that
he has been discussing this attack vector since 2006.
Even though smart card authentication
is "widely held" as the gold standard for commercial user
authentication, organizations should remember that no authentication method is
bulletproof, according to Diodati. Organizations need to implement additional
layers, including anti-malware software, user activity analysis and network
forensics, he said.
Adobe patched the remote code execution flaw in Adobe Reader X and
lower that was being exploited by this version of Sykipot as part of its
quarterly update on Jan. 10. An earlier emergency patch fixed the same flaw in
Adobe Reader 9 for Windows.
Alienvault researchers believe the team
behind this variant is the same group that was behind the Sykipot attack uncovered by Symantec researchers
in December that targeted defense contractors, telecommunications firms,
computer hardware companies, chemical companies and energy companies.
"We believe it's the same group of
attackers. They have been using the same techniques, even sharing some parts of
the code in other attacks," Blasco said.